nmh and Linux-Containers? [tech]
Jun. 16th, 2023 08:03 pm
Hey, *nix peeps! I have an obscure question.
I use nmh, a commandline MUA. I have been assured that I can't run nmh in a jailed shell. Not talking about installation, just execution. I don't know why. If any of you already tried explaining to me why, I've forgotten the explanation (sorry).
Well, I just talked to a vendor of VPSes that says they aren't using jailed shells, they're using "Linux-Containers (LXC)".
What I want to know is: okay, can nmh be run in LXC?
Secondarily, I would like to know what the issue is with jailed shells and nmh so that I might plausibly figure out for myself whether LXC has the same problem.
But mostly I just want to know if I could plausibly migrate to this vendor's VPS.
TIA,
Siderea
Edit: I feel the need to share this. I just found another, different company, offering managed VPS, the website for which says:
Pre-Sales:
Available:
Monday to Friday
2:30 AM to 5 PM (GMT -6, CDT)
They're in Texas, which doesn't seem like a place I want to have a company I am reliant on. Otherwise, I'd be mightily tempted to just give them a call when, uh, they open.
(no subject)
Date: 2023-06-17 12:41 am (UTC)
If a jailed shell does not include a mailspool, nmh won't work. Typically that means that the jail does not include /var/spool/mail/siderea.
(no subject)
Date: 2023-06-17 12:45 am (UTC)
https://github.com/leahneukirchen/mblaze
which is billed as 'mh for Maildirs'.
(no subject)
Date: 2023-06-17 02:24 am (UTC)
Edit: fascinating. Thanks again!
(no subject)
Date: 2023-06-17 02:24 am (UTC)
So... is it possible to have mail delivered directly into the user account in a jailed shell? Either just into a spool like in /var/spool/mail/ only in the user account, or otherwise handing it off to procmail calling the user's .procmailrc? I can take it from there.
(no subject)
Date: 2023-06-17 07:10 am (UTC)
The main issue with jailed shells is that they tend to have a very restricted view of the file system, which generally does NOT contain vast chunks of /var. A container has many of the same constraints.
The problem with delivering mail through procmail that I can see (speaking as a hypothetical service provider here) is that I would not want a user who normally "lives" in a jailed shell to have unfettered access via procmail, so I would have to arrange for said user's procmail to run in an equivalent jail. It should by NO means be impossible, it "just" requires configuration. And procmail reads (IIRC, it's been a decade or two since I last seriously ran mail servers for pay) messages from stdin, so again it SHOULD be perfectly happy to work in a jail (or in a container, but it's probably SLIGHTLY more hassle getting that working).
My guess is that other "jailed shell" users use either IMAP or POP3 for mail access (if you as an nmh user cannot access the spool directory, neither can they), and there's basically four ways of getting the mail: "read the mail spool file", "read the mail spool maildir", "POP3" and "IMAP" (there may of course be more creative ways, but...), and it MAY be possible to jury-rig something that fetches via POP3, feeds that into procmail, and eventually into nmh.
(no subject)
Date: 2023-06-17 12:27 pm (UTC)
> It retrieves mail (either all messages, or only unread messages)
> from one or more POP3/IMAP4/SDPS servers for one or more email
> accounts, and reliably delivers into a qmail-style Maildir, mbox
> file or to a command (pipe delivery) like maildrop or procmail,
> specified on a per-account basis. getmail6 also has support for
> domain (multidrop) mailboxes.
(no subject)
Date: 2023-06-17 09:50 pm (UTC)
(no subject)
Date: 2023-06-17 12:12 pm (UTC)
(no subject)
Date: 2023-06-17 02:35 am (UTC)
You'll need to mount a persistent volume, but presumably if they do all their hosting via container engines they're very accustomed to that.
You might not be able to run debuggers like gdb there.
I'm curious about the hosting service and what they offer, but that's just because I'm kind of a nerd about containers.
(no subject)
Date: 2023-06-17 02:49 am (UTC)
Yeah, I sincerely doubt I would need CAP_NET_ADMIN, and I'm not planning on doing any substantive development on their platform. The whole point of the exercise is to rent a nice managed server (well, virtual server) and have someone other than me have root and the responsibility to use it. I want mostly just to read email, and maybe run the occasional cron job to back something up.
(no subject)
Date: 2023-06-17 02:56 am (UTC)
Re: "root and the responsibility to use it", I'm really curious what their approach is to patching CVEs in non-kernel stuff, like if there are problems with openssl or bash or something else terrifying.
(no subject)
Date: 2023-06-17 03:05 am (UTC)
Well, I think they don't allow users to install random packages. That's the basic concept with managed VPSes across the market: they basically have a fixed list of software they're willing to worry about. The whole premise of my giving them all this extra money is that come a second Heartbleed, they'll have some standing-by sysadmin make a flying leap, tackle my SSL package to the ground, rip its lungs out, and perform a field transplantation before I've had my first cup of coffee. I have no idea how this is done these days, but I assume it involves enterprise-scale monitoring and deployment and airily waves hand stuff.
(no subject)
Date: 2023-06-17 07:12 am (UTC)
(no subject)
Date: 2023-06-17 07:53 am (UTC)
(no subject)
Date: 2023-06-17 08:47 am (UTC)
Things written to the file system, but outside of data areas that are explicitly persisted, will simply be written to an overlay and disappear on container restart.
Technically, the difference between a BSD jail and a Linux cgroup (containers are basically built on top of cgroups) is mostly of the "well, we call different things different things" kind, as far as I can tell.
A cgroup can go from "things in this cgroup are pinned to these CPUs, but otherwise not isolated", via dedicated process ID spaces (the processes are visible, with the PID that the actual kernel knows, but only processes within the process space are visible within the cgroup, and the process started to "pin" the cgroup shows up as PID 1), dedicated file system path namespaces, and dedicated network namespaces (so a container-local IP address and routing table, typically using either virtual ethernet ports and/or bridge groups to expose to the external world).
What is normally referred to as "a container" is basically a cgroup that has its own filesystem, process, and network namespace.
I hope that makes some sense, at least?
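Added example, not part of any comment in this thread: a check, run from inside the container, of whether the paths nmh depends on sit on the throwaway overlay or on a persisted mount, by parsing `/proc/self/mountinfo`. The sample mountinfo text is constructed, and the `/home/<user>/Mail` location and the "overlay or tmpfs means ephemeral" rule are assumptions.

```python
import os

# Constructed sample of /proc/self/mountinfo inside a container: overlay root
# plus one bind-mounted volume at /home (assumed to be the persisted data area).
SAMPLE_MOUNTINFO = """\
1520 1400 0:95 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
1521 1520 0:98 / /proc rw,nosuid - proc proc rw
1522 1520 8:17 /volumes/u1 /home rw,relatime shared:12 - ext4 /dev/sdb1 rw
1523 1520 0:99 / /tmp rw,nosuid - tmpfs tmpfs rw
"""

# Assumption: data on any other filesystem type survives a container restart.
EPHEMERAL_FS = {"overlay", "tmpfs"}

def parse_mountinfo(text):
    """Return [(mount_point, fstype)] in mount order."""
    mounts = []
    for line in text.splitlines():
        if " - " not in line:
            continue
        # Optional fields vary in number, so split on the " - " separator.
        left, right = line.split(" - ", 1)
        mount_point = left.split()[4].replace("\\040", " ")
        mounts.append((mount_point, right.split()[0]))
    return mounts

def mount_for(path, mounts):
    """Longest-prefix match; a later mount on the same point wins."""
    path = os.path.normpath(path)
    best = ("/", "unknown")
    for mp, fstype in mounts:
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) >= len(best[0]):
            best = (mp, fstype)
    return best

def classify(path, mounts):
    return "ephemeral" if mount_for(path, mounts)[1] in EPHEMERAL_FS else "persistent"

def check_mail_paths(user, mounts):
    """Classify the system spool and the assumed nmh mail directory."""
    paths = [f"/var/spool/mail/{user}", f"/home/{user}/Mail"]
    return {p: classify(p, mounts) for p in paths}

if __name__ == "__main__":
    src = "/proc/self/mountinfo"
    text = open(src).read() if os.path.exists(src) else SAMPLE_MOUNTINFO
    for path, kind in check_mail_paths(os.environ.get("USER", "user"), parse_mountinfo(text)).items():
        print(f"{path}: {kind} (spool present: {os.path.exists(path)})")
```
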
(no subject)
Date: 2023-06-17 12:18 pm (UTC)
- a chroot jail or equivalent via a namespace constraint on the filesystem
- overlay filesystems
- namespace constraints on your processes
The most common type is the OCI mostly-standard: https://opencontainers.org/ but there are others.
(no subject)
Date: 2023-06-18 11:14 pm (UTC)